- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Mon, 10 May 2010 22:45:34 -0400
- To: nathan@webr3.org
- CC: public-webapps <public-webapps@w3.org>
On 5/10/10 10:21 PM, Nathan wrote:
> 2: Implement a user UI confirmation screen to allow JS applications xhr
> access to other origin resources. (Similar to the allow desktop
> notifications scenario in chromium)

Under what conditions would the typical user be able to make an informed decision here?

> 3: Standardise a way of having signed scripts that are trusted (like
> mozilla have implemented)

Mozilla is removing signed script support. It leads to too much complexity, is disabled by default for users anyway, etc.

> Ideally, a long term shift towards global access unless denied by CORS
> would be an ideal solution (imo), typically corporate sys admins will
> be a bit more up to speed when it comes to implementing security features
> than joe public, and quite sure that a security bulletin + a bit of
> coverage around the web would get the information in to the right hands

You're being _way_ too optimistic about this. "corporate sys admins" are still using HTML blacklists in HTML filters on a routine basis, after years of education attempts...

> Surely we can't be dependent on CORS indefinitely, perhaps some form of
> planned path as to how CORS might be phased out?

CORS is only needed if you want to perform actions cross-site with the user's credentials on the other site, right? For that use case, I would in fact expect us to depend on CORS indefinitely.

-Boris
Received on Tuesday, 11 May 2010 02:46:13 UTC
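The point Boris makes at the end of the thread (CORS exists to gate cross-site requests that carry the user's credentials) is easiest to see as code. The following is an added example written for this archive page, not code from the thread or from any browser or W3C specification: it models, in plain JavaScript with no network, both halves of the credentialed CORS check. One function is the server's decision about which headers to emit for an allowlisted origin, the other is a simplified version of the browser's decision about whether cross-origin script may read the response. A second server function shows the common misconfiguration (reflecting any Origin with credentials allowed) beside the correct one. The origins, the allowlist and the header maps are constructed sample values.

```javascript
// Added example (not from the original thread): a minimal model of the CORS
// check that protects credentialed cross-origin requests.
// The allowlist and origins are constructed sample values.

const ALLOWED_ORIGINS = new Set(["https://app.example"]); // constructed

// Server side: compute the CORS response headers for one request.
// Returns {} when there is no Origin header (same-origin or non-CORS
// request) or when the origin is not on the allowlist; in that case the
// browser refuses to expose the response to the cross-origin script.
function corsResponseHeaders(requestHeaders, allowlist = ALLOWED_ORIGINS) {
  const origin = requestHeaders["origin"];
  if (!origin) return {};                 // not a cross-origin request
  if (!allowlist.has(origin)) return {};  // unknown origin: say nothing
  return {
    "access-control-allow-origin": origin, // echo only allowlisted origins
    "access-control-allow-credentials": "true",
    "vary": "Origin",                      // caches must key on Origin
  };
}

// Browser side (simplified): may the page at `origin` read this response?
// For a credentialed request the browser requires an exact origin match
// plus an explicit allow-credentials flag; the wildcard "*" is rejected.
function browserAllowsRead(origin, responseHeaders, withCredentials) {
  const acao = responseHeaders["access-control-allow-origin"];
  if (acao === undefined) return false;
  if (!withCredentials) return acao === "*" || acao === origin;
  return acao === origin &&
    responseHeaders["access-control-allow-credentials"] === "true";
}

// Misconfigured server: reflects whatever Origin arrives and allows
// credentials, which hands any third-party origin the user's session.
function reflectingServerHeaders(requestHeaders) {
  const origin = requestHeaders["origin"];
  if (!origin) return {};
  return {
    "access-control-allow-origin": origin,
    "access-control-allow-credentials": "true",
  };
}

// End to end: can a page at `origin` read a credentialed response from
// the given server policy?
function simulate(origin, serverFn, withCredentials) {
  const response = serverFn({ origin });
  return browserAllowsRead(origin, response, withCredentials);
}
```

Running `simulate("https://other.example", corsResponseHeaders, true)` returns `false`, while the same call against `reflectingServerHeaders` returns `true`, which is exactly the gap a defender looks for when reviewing a CORS configuration: an `Access-Control-Allow-Credentials: true` that is paired with a reflected rather than allowlisted origin.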